RELATED APPLICATIONS 

[0001] The present invention is related to the following copending and commonly 
assigned United States patent applications: serial number [30014510-1] entitled System and 
Method for Partitioning a Storage Area Network Associated Data Library, filed December 
28, 2001; serial number [30014511-1] entitled System and Method for Partitioning a Storage 
Area Network Associated Data Library Employing Element Addresses, filed December 28, 
2001; serial number [30014512-1] entitled System and Method for Managing Access To 
Multiple Devices in a Partitioned Data Library, filed December 28, 2001; serial number 
[30014513-1] entitled System and Method for Peripheral Device Virtual Functionality 
Overlay, filed December 28, 2001; serial number [30014515-1] entitled System and Method 
for Securing Drive Access to Data Storage Media Based On Medium Identifiers, filed 
December 28, 2001; serial number [30014516-1] entitled System and Method for Securing 
Fiber Channel Drive Access in a Partitioned Data Library, filed December 28, 2001; serial 
number [30014517-1] entitled Method for Using Partitioning to Provide Capacity on Demand 
in Data Libraries, filed December 28, 2001; serial number [30014518-1] entitled System and 
Method for Intermediating Communication with a Moveable Media Library Utilizing a 
Plurality of Partitions, filed December 28, 2001; and serial number [30008195-1], entitled 
System and Method for Managing a Moveable Media Library with Library Partitions, filed 
December 28, 2001; the disclosures of which are hereby incorporated herein by reference. 

TECHNICAL FIELD 

[0002] The present invention is generally related to data storage and specifically 
to systems and methods for securing drive access to media based on medium identification 
numbers. 

BACKGROUND 

[0003] One of the most attractive aspects of a storage area network (SAN) is that 
network connectivity enables a company to efficiently use storage by sharing storage capacity 
among a number of servers. This may be implemented using a large number of small 
capacity storage devices. However, unless sufficiently robust management software is 
employed, such use of small capacity devices in a SAN may result in significant management 
overhead. Most users prefer to install large capacity storage devices and partition the 
device(s), assigning each partition to a different server. For example, existing firmware for 
enterprise level disk arrays allows users to define multiple redundant arrays of independent 
disks (RAID), where each RAID set appears as a different logical unit number (LUN). Each 
one of these LUNs may be dedicated to a different server. 

[0004] In certain SAN usage scenarios, such as may arise for storage service 
providers (SSPs), there are multiple customers attempting to share common SAN resources. 
In such cases, there is a need to ensure that a customer can only see and access the storage 
resources it has been allocated and prevent the customer from accessing storage of other SAN 
customers. For example, if a customer stores their critical business data with an SSP, then 
they generally do not want other customers of the SSP reading their data or even being aware 
that the customer has information stored with the SSP. To isolate user data in a data library, 
the library may be partitioned. Typically, special hardware or special backup software as 
described below has been used to implement partitioning. However, a problem may arise in a 
partitioned library if a medium is accidentally placed in a wrong slot by a library operator. 
This may allow this medium to be read by another customer or by a user of another partition. 

[0005] Existing software-based data library partitioning solutions typically 
employ a host system that restricts access to portions of a tape library. The host restrictions 
are implemented by a mediating (software) process on a host system to enforce partition 
restrictions. However, this approach is problematic. Specifically, the approach is undesirable 
if the data library is utilized in an SSP environment. In SSP environments, the data library and 
the host systems belong to different entities (e.g., the SSP and the customers). Placement of 
software mediating processes on host systems is unattractive, because it increases the burden 
on the customers to make use of the storage service. Moreover, many customers are 
unwilling to allow other parties to place software on their host systems. Additionally, the 
software mediating process approach is typically incompatible with existing data back-up 
utilities, i.e., the software mediating process approach requires the use of specialized data 
back-up applications. Hence, users are effectively denied the ability to run desired backup 
software. 

[0006] An additional problem may arise in that a library operator may 
accidentally place a medium in an incorrect storage slot within a partitioned data library or in 
an entirely incorrect data library within an SSP's facility. This may allow this misplaced 
medium to be read by an SSP customer or user other than the owner of the information on the 
misplaced medium. 

[0007] The use of memory in a tape cartridge, generally referred to as cartridge 
memory (CM), is known in the art. Existing cartridges and drives store information in the 
CM such as how many times a tape has been loaded, a cassette serial number, what was last 
written on the tape, what block was last written to on the tape and/or the tape error rate. 
Conventionally this information facilitates setting up the tape when it is inserted back into a 
drive. For example, each time a tape cartridge with CM is inserted into a drive, the CM is 
read during initialization of the drive. During the drive initialization sequence, the drive 
reads the memory, diagnoses the tape, recognizes the tape format and where writing should 
begin. Additionally, information in the memory about error rate and/or number of loads can 
help diagnose failing tapes. Such CM may also be referred to as memory in cartridge (MIC). 
SUMMARY OF THE INVENTION 

[0008] A method for securing access to a data medium comprises recording a 
unique identification number assigned to each medium in at least a portion of a data library, 
and commanding at least one selected data transfer element in the library to only accept 
media having particular ones of the identification numbers. 

[0009] Another embodiment of the present method for securing access to data 
media in a particular partition of a partitioned data library comprises listing identification 
numbers of media that data transfer elements in the partition are allowed to access in memory 
storage of the data transfer elements in the partition, reading an identification number of a 
selected medium, checking the memory storage of a data transfer element receiving the 
selected medium for the identification number of the selected medium, and accessing the 
selected medium in response to the identification number of the selected medium being 
present in the memory storage of the data transfer element receiving the selected medium. 

[0010] An embodiment of a partitioned data library employing the present 
invention comprises data storage media, each medium of the media having an identification 
number, a plurality of storage element slots each of the slots adapted to store a medium of the 
data storage media, at least one set of at least one of the slots assigned to one partition of a 
plurality of library partitions, and a plurality of data transfer elements that are adapted to 
receive the media and transfer data to and from the media, each of at least one set of at least 
one of the data transfer elements assigned to one of the library partitions, wherein access to 
the media by each of the data transfer elements is restricted to media having particular ones 
of the identification numbers. 

BRIEF DESCRIPTION OF THE DRAWING 

[0011] FIGURE 1 is a diagrammatic illustration of a SAN operating consistent 
with the teachings of the present invention; 

[0012] FIGURE 2 is a diagrammatic illustration of an example of a data library 
employing a preferred embodiment of the present invention; 

[0013] FIGURE 3 is a flow chart of initialization of the present method according 
to a preferred embodiment; and 
[0014] FIGURE 4 is a flow chart of operation of the present method according to 
a preferred embodiment. 

DETAILED DESCRIPTION 

[0015] The present invention is directed to systems and methods that provide 
medium-based security within a data library based on an identification number associated 
with a medium. The present system and method provides a failsafe for secure data library 
partitioning by limiting access to certain media at the drives themselves. 

[0016] A SAN attached data library may be logically partitioned into many 
smaller libraries without the use of special hardware or software. Each of the drives or data 
transfer elements in the library may be designated for use by a different host system that has 
free access to the library robotics controller as well as to the designated drives. Such a 
system and method is disclosed in copending U.S. Patent application serial number 
[30014510-1], "System and Method For Partitioning a Storage Area Network Associated 
Data Library". A set of drives and medium storage slots of the library are assigned to each 
partition. The movement of media is restricted to and from slots and drives within a partition. 
The drives in the library are preferably assigned a limited range of media that each drive may 
access for read/write functions. 

[0017] In accordance with the present invention, a CM-enabled drive, usually a 
fiber channel (FC)-connected drive, is preferably configured out-of-band in such a library, via 
a library automated control interface (ACI). Part of this configuration may include setting the 
drive up to only accept media that have particular serial numbers or other universally-unique 
identification numbers assigned to the media. These acceptable serial numbers are preferably 
stored in non-volatile random access memory (NVRAM) of the drive or another location 
readily accessible by firmware of the drive. The serial number may be encoded in a barcode 
disposed on the medium or stored in CM of the medium. Thus, each drive may be configured 
to disallow access to media that does not belong to the drive's partition and thereby a tape or 
other medium cannot be read by a drive in the wrong partition. Preferably these serial 
numbers or unique identification numbers are universally unique. For example a universally 
unique serial number of a medium with CM is permanently stored in the medium's CM at 
manufacture. However, a unique identification number, such as may be encoded in a 
barcode, may only be unique within a physical library, in order to differentiate between 
partitions. Barcode encoded identification numbers unique within an SSP may be employed to 
ensure a medium is not placed in an improper physical library. Advantageously, this system 
and method will work with tape cartridges with no cartridge memory (CM) or other media by 
using the aforementioned barcodes. The present system and method allows either manual or 
automatic initialization of a data library to read the serial numbers from specified media. 

[0018] Turning to FIGURE 1, SAN 100 is shown. By way of example, first and 
second customer servers 101 and 102 are connected to SAN 100 via FC switch 103. RAID 
104 may be partitioned, assigning first partition 105 to server 101 and second partition 106 to 
server 102 using existing LUN-based RAID partitioning methods. Zero downtime backups 
(ZDBs) may be performed of the data each server has on the RAID to data library 108, via 
ZDB interconnectivity 107 between RAID 104 and data library 108. Such ZDBs preferably 
employ data-mover firmware embodied in RAID 104 or other elements of SAN 100. ZDBs 
are preferably carried out without impinging on the processor operations or LAN capacity of 
servers 101 and 102. Data library 108 is preferably partitioned in such a manner as to ensure 
that data for server 101 is maintained in partition 109 separate from data for server 102, and 
that the data of server 102 is maintained in partition 110 separate from data for server 101. 
Such partitioning facilitates restricting access such that the servers may not access each 
other's data even though both servers' data is maintained in the same physical library. 

[0019] Data tape library 200 employing a preferred embodiment of the present 
system and method is illustrated in FIGURE 2 as an example of a library that may be 
employed as library 108 of FIGURE 1. However, other library designs and/or capacities may 
embody the present system and method. Exemplary data tape library 200 has four data transfer 
elements or drives 201-204, forty media storage element slots 205 organized into four trays 
206-209 of ten slots 205 each, two FC-to-SCSI bridges 210 and 211, a library management 
interface card or remote management card (RMC) 212 and library controller 213. Drives 
201-204, FC-to-SCSI bridges 210 and 211, RMC 212 and library controller 213 preferably 
communicate with each other using an inter-integrated circuit (I2C) bus, shown 
here as automated control interface (ACI) 214, or the like. 

[0020] For partitions employed by the present system and method, at least one 
drive should be assigned to each partition. Drives 201-204 are preferably enabled to read 
CM, thereby allowing a drive to read a serial number residing in CM of a medium disposed in 
the drive. Additionally drives 201-204 may incorporate barcode readers to read barcodes 
disposed on a medium received by a drive. Preferably, media slots 205 are also assigned to 
each partition to house the media assigned to the partition. A virtual library controller should 
be addressable with respect to each partition to control movement of media between the slots 
and drives by library robotics 220. Library robotics 220 may employ a barcode and/or a CM 
reader used for initialization of one embodiment of the present invention and/or for reading 
the serial numbers of media during transport in an embodiment of the present invention, as 
detailed below. 

[0021] The example partitioning shown in FIGURE 2 is indicated by boxes 215, 
216 and 217. As illustrated, LUN0 corresponds to partition 215, LUN1 corresponds to 
partition 216, and LUN2 corresponds to partition 217. Finally, import/export elements or 
mailslots may be assigned to each partition or configured for use by the entire physical 
library. Preferably, easily-accessible media storage slots may be configured as mailslots by 
the present invention. 

[0022] The present method may be used to move responsibility for limiting access 
to certain media down to the drive and medium level. Turning to FIGURE 3, preferred 
method for initialization of the present invention is illustrated and broadly designated by the 
number 300. Recordation of serial numbers is preferably coordinated by the RMC. The 
RMC directs the library controller to perform an off-line initialization sequence, for example 
an inventory of specified partitions of the library, box 301. The RMC then sends a command 
at box 302 to drives in a partition, via the library controller and the ACI, clearing the list of 
allowed serial numbers for each drive in the partition. Then another command is sent to the 
partition drives at box 303 to store a new list of allowed serial numbers. Preferably, the 
library robotics employ a barcode reader and/or a CM reader to read a serial number of each 
medium in the slots assigned to each partition at box 304. Alternatively, a medium may be 
removed from a slot and inserted into a drive to read the medium's serial number from CM; 
or to read the medium's serial number from a barcode disposed on the medium, employing a 
barcode reader incorporated into the drive. As a further alternative, the serial numbers may 
be manually entered via a web browser interface or the like for the RMC. The library 
controller preferably writes the serial numbers of media disposed in the slots of a partition to 
NVRAM of drives in the partition, via the ACI at box 305. 
[0023] Preferred method of operation 400 of the present invention is illustrated in 
FIGURE 4. In a library initialized as illustrated in FIGURE 3 and described above, a 
medium may be loaded into a drive by the library at box 401, and at box 402 the library 
robotics and/or the drive itself reads a barcode, disposed on the medium, employing a 
barcode reader incorporated into the library robotics or the drive, respectively. Alternatively 
or additionally, at box 402, a cartridge serial number may be read from CM by the drive or by 
a CM reader incorporated into the library robotics. Drive firmware checks to see whether the 
serial number of the medium is in the NVRAM of the drive at box 403. If at box 404 the 
serial number is in the NVRAM, then the drive recognizes that medium as belonging to the 
same partition as the drive, and preferably enables the connected host system to have 
unhindered read/write access to the medium at box 405. If, however, the drive does not find 
the serial number in its NVRAM at 404, then preferably the drive immediately ejects the 
medium at box 406, thus denying the accessing host access to the medium. 

[0024] The present system is preferably tamper-proof, in that the drive firmware 
enforces access control, and preferably the firmware or NVRAM contents cannot be changed 
by the end user. So even if the user has unrestricted access to both the drives and library 
robotics at the command level, the user cannot defeat the access controls. Specifically, the 
identifier checking mode of a drive preferably may not be altered in-band, such as by a SCSI 
command. Such an alteration is preferably only allowed to be carried out out-of-band, over 
the ACI. This out-of-band alteration preferably may only be made over a LAN connected to 
the RMC, which in turn communicates over an I2C bus to the library controller, or via the 
library front panel. As indicated above, the controller communicates with the drives over an 
ACI. This isolation of control and security facilitates use of conventional, unmodified 
backup application software by a user rather than software dictated by an SSP, because the 
drive firmware itself enforces the drive access limits. 

[0025] The drives may also be configured to not check the identifier resulting in 
an unsecured setting at the drive level. This is preferably the default setting of the drives in a 
partitioned data library and allows media to be read in a standalone tape drive such as at a 
customer's premises. 
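The following Python simulation is added here as an illustration of the initialization sequence of FIGURE 3 (paragraph [0022]), the load-time check of FIGURE 4 (paragraph [0023]), the in-band versus out-of-band control separation of paragraph [0024] and the unsecured default of paragraph [0025]. It is not part of the application's disclosure; every class, method, drive name and serial number in it is an assumption made for the example.

```python
"""Simulation of the drive-level identifier check of FIGURES 3 and 4.
Added illustration only; every class, method and value below is assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class ControlPath(Enum):
    """Control path on which a drive configuration command arrives ([0024])."""
    IN_BAND = "in-band"          # SCSI command from the host: must be refused
    OUT_OF_BAND = "out-of-band"  # ACI command relayed by the library controller


class ConfigRefused(Exception):
    """The drive refused to alter its identifier-checking state in-band."""


@dataclass
class Medium:
    """cm_serial: universally unique serial in cartridge memory (None if no CM)."""
    cm_serial: Optional[str]
    barcode: str  # label identifier, unique within the library or the SSP

    def identifier(self) -> str:
        # Prefer the CM serial; media without CM fall back to the barcode ([0017]).
        return self.cm_serial if self.cm_serial is not None else self.barcode


@dataclass
class Drive:
    name: str
    partition: str
    nvram_allowed: Set[str] = field(default_factory=set)  # allowed list in NVRAM
    check_identifiers: bool = False  # [0025]: unsecured is the default setting

    def _require_out_of_band(self, path: ControlPath) -> None:
        if path is ControlPath.IN_BAND:
            raise ConfigRefused(f"{self.name}: in-band configuration change refused")

    def aci_clear_allowed(self, path: ControlPath) -> None:  # box 302
        self._require_out_of_band(path)
        self.nvram_allowed.clear()

    def aci_store_allowed(self, path: ControlPath, ids: Set[str]) -> None:  # 303/305
        self._require_out_of_band(path)
        self.nvram_allowed.update(ids)

    def aci_set_check_mode(self, path: ControlPath, enabled: bool) -> None:
        self._require_out_of_band(path)
        self.check_identifiers = enabled

    def load(self, medium: Medium) -> str:
        """Boxes 401-406: read the identifier, check NVRAM, grant access or eject."""
        ident = medium.identifier()  # box 402: barcode or CM serial
        if self.check_identifiers and ident not in self.nvram_allowed:  # 403/404
            return "EJECTED"  # box 406: the host never gets the medium
        return "ACCESS_GRANTED"  # box 405: unhindered read/write access


@dataclass
class Library:
    slots: Dict[str, List[Medium]]  # partition -> media in that partition's slots
    drives: List[Drive]

    def initialize_partition(self, partition: str) -> Set[str]:
        """FIGURE 3: every command reaches the drives out-of-band over the ACI."""
        # boxes 301/304: off-line inventory, robotics read each medium's identifier
        ids = {m.identifier() for m in self.slots.get(partition, [])}
        for drive in self.drives:
            if drive.partition == partition:
                drive.aci_clear_allowed(ControlPath.OUT_OF_BAND)         # box 302
                drive.aci_store_allowed(ControlPath.OUT_OF_BAND, ids)    # 303/305
                drive.aci_set_check_mode(ControlPath.OUT_OF_BAND, True)  # arm check
        return ids


def demo() -> Dict[str, str]:
    """Constructed scenario: two partitions and one cartridge placed in the wrong slot."""
    tape_a = Medium("CM-000001", "A0001")
    tape_b = Medium(None, "B0001")  # no cartridge memory: identified by barcode only
    lib = Library(slots={"LUN0": [tape_a], "LUN1": [tape_b]},
                  drives=[Drive("drive201", "LUN0"), Drive("drive203", "LUN1")])
    for partition in ("LUN0", "LUN1"):
        lib.initialize_partition(partition)
    d201, d203 = lib.drives
    results = {
        "own_medium": d201.load(tape_a),        # LUN0 tape in a LUN0 drive
        "misplaced_medium": d203.load(tape_a),  # LUN0 tape mis-slotted into LUN1
        "barcode_only_medium": d203.load(tape_b),
    }
    try:  # [0024]: a host with full SCSI access still cannot disarm the check
        d203.aci_clear_allowed(ControlPath.IN_BAND)
        results["in_band_change"] = "accepted"
    except ConfigRefused:
        results["in_band_change"] = "refused"
    standalone = Drive("standalone", "none")  # [0025]: default, unsecured drive
    results["standalone_drive"] = standalone.load(tape_a)
    return results
```

Calling demo() returns "ACCESS_GRANTED" for the tape in its own partition's drive, "EJECTED" for the same tape mis-slotted into the other partition, "ACCESS_GRANTED" for the barcode-only tape in its own partition, "refused" for the in-band attempt to clear the allowed list, and "ACCESS_GRANTED" from the standalone drive that was never armed. The design point worth noting is that the allowed list and the checking mode are only reachable through the out-of-band methods, so a host with unrestricted SCSI command access to the drive has no path to alter them, which is the property paragraph [0024] relies on.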